System and method for discovery of network entities

ABSTRACT

A system and method of discovering network entities. Network traffic is monitored, wherein monitoring includes finding network entities in the network traffic. If the network entities are network assets, the system determines if the network entities are critical network assets. If the network entities are network users, the system classifies the network users automatically into user groups. The network traffic is then displayed as a function of the critical network assets and the user groups.

RELATED APPLICATION

This patent application claims the priority benefit of U.S. Provisional Patent Application Ser. No. 61/054,945 filed May 21, 2008 and entitled “ENHANCED DISCOVERY WITH IDENTITIES”, the content of which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

The disclosure relates generally to network security and in particular to systems and methods for network discovery.

LIMITED COPYRIGHT WAIVER

A portion of the disclosure of this patent document contains material to which the claim of copyright protection is made. The copyright owner has no objection to the facsimile reproduction by any person of the patent document or the patent disclosure, as it appears in the U.S. Patent and Trademark Office file or records, but reserves all other rights whatsoever.

BACKGROUND

Companies today face the task of continuously monitoring and verifying who is accessing critical business systems, what they are doing during each access and where they are accessing from. The challenge is that, when manually attempted, visibility into your network and your critical business applications is often nothing more than a static, after-the-fact “snapshot in time.” U.S. patent application Ser. No. 11/854,392, entitled “Identities Correlation Infrastructure for Passive Network Monitoring”, filed Sep. 12, 2007, describes, however, one approach for identifying and continuously monitoring user access to critical business systems, the description of which is incorporated herein by reference.

The systems proposed to date require administrators to identify users and group them with other users. In addition, the systems to date present data in ways that can be difficult to understand. What is needed is a system and method for identifying and classifying users, and for monitoring network activity as a function of the classifications of network users. What is also needed is a system and method for displaying network activity based on identified groups of users in a clear and concise manner. Finally, what is needed is a system and method for controlling network access as a function of the identified groups of users.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1 a and 1 b illustrate computer systems having one or more network monitors;

FIGS. 2 a and 2 b illustrate embodiments of the network monitors of FIGS. 1 a and 1 b;

FIGS. 3-6 a illustrate methods of displaying and controlling identity-based network traffic;

FIG. 6 b illustrates a method of controlling network behavior;

FIG. 7 illustrates a method of displaying identity-based behavior across networks connected by one or more firewalls;

FIG. 8 illustrates a method of controlling network behavior across networks connected by one or more firewalls;

FIGS. 9 a-9 c illustrate methods of assigning users to groups;

FIG. 10 illustrates a method of asset discovery;

FIG. 11 illustrates a method of using discovery for policy development;

FIG. 12 is a schematic diagram illustrating a medium having an instruction set for implementing the systems and methods described.

DETAILED DESCRIPTION

Unsecured and improper practices by authorized insiders can create substantial risk to critical business systems. Outsourcers, offshore developers, contractors, careless employees, partners, joint ventures, and others must be monitored. Yet monitoring security to the standards recommended by CERT and others is nearly impossible to do in real time with traditional security tools. And using log data to get this level of information can drain valuable IT resources while still falling short of delivering real-time operational visibility and control.

FIG. 1 a illustrates a system which monitors user behavior to provide automated, identity-based monitoring of user accesses to critical business systems. In FIG. 1 a, computer system 100 includes a number of workstations 102 and one or more data centers 106 having one or more servers or mainframes each. Workstations 102 communicate with data centers 106 over a network 104. In the embodiment shown, some of the workstations 102 communicate with data center 106 via a firewall 112 communicatively coupled to network 104.

In computer system 100 of FIG. 1 a, a network monitor 108 continuously monitors network traffic on network 104. In one embodiment, monitor 108 includes a data collector (DC) 131 connected to a data analyzer (DA) 135. Data collector 131 passively captures network traffic. Data analyzer 135 decodes and analyzes the captured network traffic.

In one embodiment, network monitor 108 provides automated, identity-based monitoring to keep computer system 100 in compliance and in control. This comprehensive monitoring solution delivers complete visibility and verification of who is doing what and where on an automated, continuous, real-time basis. By identity, we mean the actual user name, group name, and role correlated to behavior and delivered in real time—not after the fact.

In one embodiment, network monitor 108 communicates with a directory service 110 and an authentication service 111 over network 104. In one such embodiment, network monitor 108 integrates with existing directory stores, such as Microsoft Active Directory, leveraging actual user and group information to dynamically determine when a user accesses the network. In another such embodiment, network monitor 108 integrates with existing directory stores, such as Microsoft Active Directory, leveraging actual user, group, and role information to dynamically determine when a user accesses the network. Network monitor 108 queries the directory in real time, and then correlates users and their groups with all related access and activity. In one embodiment, user identity credentials are detected in the traffic without the use of any agents on the client or server side.

For example, a user named jsmith logs into the network. Network monitor 108 identifies this action and immediately determines that jsmith is part of the marketing group and has a job role that allows her access to the marketing database and a joint-venture database but not the finance database. Network monitor 108 continues to monitor network traffic to ensure that jsmith's actions abide by this policy as well as all other established security controls.

In one embodiment, monitors 108 passively capture, decode, and analyze traffic via native deep packet inspection (DPI). They use port mirroring or passive network taps to obtain full packet data for protocol decoding up to the application layer (layer 7). This level of detail is often required to ensure a tamperproof view of network activity within critical data centers and critical business systems.

In one such embodiment, flow monitors within monitor 108 leverage existing flow-based data from Cisco Netflow, Juniper J-Flow, and others for analysis. This broader network view is often useful for gaining a cost-effective, enterprise-wide view of who is doing what and from where across the entire network, including remote locations.

In another such embodiment, network monitors are used in a “Mixed” mode that combines both DPI and flow-based data.

In one embodiment, network monitor 108 operates on firewall audit logs to analyze traffic through the firewall. In one such embodiment, network entity discovery (e.g., user discovery or asset discovery) is used to drive security policy for both the network monitor 108 and the firewall 112.

In one embodiment, network monitor 108 is part of a tiered architecture that comprises network monitors 108, control centers and report appliances. This approach has the deployment advantages of an out-of-band, network-based solution without the need for agents or application integration.

In such an approach, network monitors 108 provide the cornerstone monitoring function. Monitors 108 are network-based and designed to capture and analyze critical traffic data inside the network using one of the three methods described above.

As shown in FIG. 1 b, in some embodiments, computer system 100 includes two or more network monitors 108 and a control center 124. Control center 124 consolidates and centralizes the ongoing monitoring, analysis, and management of all sizes of deployments—everything from a few network monitors 108 to a worldwide deployment of network monitors 108.

In one such embodiment, large entities can easily stratify and delegate their management capabilities with control center 124. For example, you could retain the ability to analyze and control network activity at an overall organizational level while also allowing your various operating divisions or security zones to monitor and manage network activity that's specific to their group.

In one embodiment, as is shown in FIG. 2 a, network monitor 108 includes a discovery module 120 and a control module 122. In one such embodiment, discovery module 120 includes an automated discovery capability that helps uncover the “who, what, and where” during the planning phase of change projects, i.e., determining which users are accessing what applications on which computers, without requiring any prior knowledge of the network behavior. A Discovery Dashboard such as is shown in FIG. 3 provides a single view of passively monitored traffic and correlates user groups and their associated activity on critical business systems.

In one embodiment, discovery module 120 provides additional analysis capabilities, including the ability to focus on a single system. For example, you could concentrate network monitor 108 on a specific CRM or accounting system. Likewise, you can use network monitor 108 to discover all user groups or focus on a specific user group, office location, or network boundary. For instance, you could monitor for sales representatives accessing a particular system from headquarters. Additional information on what users are doing is also provided, including protocol decode, ports, bandwidth, URLs, and commands. This level of detail is extremely useful for network rezoning and segmentation, or application and server moves that might impact users' ability to access their applications.

As noted above, in some embodiments, network monitor 108 communicates directly with existing network directories, leveraging existing groups and memberships. Additionally, network monitor 108 may leverage local directories for special-purpose groups and memberships.

In one embodiment, control module 122 applies user-based policies and then graphically illustrates the network usage of users and groups to critical systems, clearly denoting what activity is acceptable, what activity is unacceptable and what activity merits a closer look by the security and operations teams.

FIG. 2 b illustrates one embodiment of network monitor 108. In FIG. 2 b, network monitor 108 includes a discovery data collector (DDC) 130 connected to a discovery data store 132 and a policy engine 134. Network monitor 108 also includes a Group Based Profiling (GBP) engine 136 connected to a control module 138. Control module 138 includes an Identity Acquisition Agent (IAA) 140, a GBP engine proxy 142 and a servlet module 144. In one embodiment, users communicate with network monitor 108 via a web browser 146.

In the embodiment shown, DDC 130 runs on the Monitor and stores its data locally. In other embodiments, DDC 130 or discovery data store 132 could be accessed remotely from network monitor 108. In one such embodiment, control center 124 includes a data store (DS) 126 connected to a data analyzer 128 (as shown in FIG. 1 b). Data store 126 stores discovery data accessed remotely from network monitor 108. Data analyzer 128 analyzes the network monitor data.

In the embodiment shown, GBP engine 136 runs on monitor 108, processing the DDC data in the discovery data store 132 at the user's request. In one such embodiment, the GBP engine runs as a standalone Java daemon, exporting an interface to its client.

In one such embodiment, the UI processes GBP data for the local Monitor only. In one such embodiment, GBP data generated by the GBP engine in response to UI-initiated queries is used by servlet module 144 to generate UI pages that are in turn displayed by a browser.

In some embodiments, as is shown in FIG. 2 b, GBP engine 136 includes an interface to IAA 140 for obtaining group membership information.

In one embodiment, the GBP engine 136 runs in the Monitor aggregating and processing data provided by the DDC 130. The GBP engine 136 will be described in greater detail below.

The GBP engine 136 provides an interface to the GBP Engine Proxy 142 through which the Web UI components make requests and receive results.

In one embodiment, the GBP Engine Proxy 142 (hereinafter referred to as “proxy 142”) uses a socket interface to communicate with the GBP Engine 136. This interface supports multiple concurrent asynchronous requests. Each request to the proxy is made on a separate thread and that thread is blocked until the request is completed, times out or the connection to the engine is abnormally terminated. Thus, within each socket connection requests are handled synchronously.

The RPC protocol between the engine and the proxy consists of a handshake phase followed by a request/response phase. Each connection is initiated by the proxy and accepted by the engine.

If the engine status is READY the proxy 142 can send a request to be processed. In one embodiment, each request is handled synchronously, i.e., a new request cannot be issued until the previous request has completed.

Requests and responses are encoded as serialized Java objects using the standard Java object serialization mechanism.

In one embodiment, the GBP engine 136 is restarted whenever there is a configuration change or a policy change.

The GBP engine uses a DDC Read Interface 150 to load into memory all the DDC records required to perform its functions. A DDC data record summarizes the traffic observed between two network endpoints (e.g., a user and a server) for a specific network service over a given time period (e.g., one day). In order to produce results within an acceptable time period, in one embodiment, the engine caches its working set data and updates the cache periodically.

Policy management will be discussed next. In one embodiment, the GBP engine loads the current network security policy from the file system. The policy provides GBP engine 136 with information on already identified network assets, such as Critical Business Systems (CBSs) and network services of interest, as well as currently defined local groups.

Groups will be discussed next. When computing a set of groups to be used to classify users, GBP engine 136 takes into account both the user's membership in network directory groups and the user's membership in any local directory groups, such as those defined in policy. Anonymous users are automatically included in a pre-defined Anonymous group, while users that are not members of any directory group are considered to be members of the Other Groups pre-defined group.

In some embodiments of the network monitor shown in FIG. 2 b, the GBP engine 136 interfaces to the Identity Acquisition Agent (IAA) 140 to determine the groups of which a user is a member. In some embodiments, users comprise both human users and computers acting as clients of networked resources. The GBP engine 136 requests the following information from the IAA 140:

1) For a given user, the groups of which that user is a member; the set returned by the IAA represents the transitive closure of the user's group membership, including both network directory groups and local directory groups; and

2) For a given group, the number of active users in that group.

In one embodiment, all Identity Acquisition is performed by the Identity Acquisition Manager (IAM) of IAA 140. The IAM computes the number of active users per user group, where an active user is defined as being one that has been authenticated in the last YY days. This information is provided to the Identity Acquisition Agent (IAA) 140 periodically. The number of active users in a group need not be updated more than once a week.

In one embodiment, the IAA access protocol is extended to allow the GBP engine 136 to query the IAA 140 for the current list of groups, their active user counts and their list of users.

In one embodiment, Anonymous Intranet users are segregated by IP address. An anonymous user whose IP address falls within the Intranet is identified by its computer's IP address. Thus, in the list of users that are clients of a service, anonymous Intranet users will be denoted by their IP addresses.

On the other hand, Anonymous users outside the Intranet are not uniquely identified.

An anonymous Internet user is given the name Internet whereas an anonymous Extranet user receives the name Extranet. Thus, all anonymous users outside the Intranet coalesce into a single Internet user and a single Extranet user. However, and optionally, anonymous users may be segregated by their IP addresses, i.e., anonymous Internet and Extranet users are treated identically to anonymous Intranet users.

When computing group membership, GBP engine 136 also takes into account and ignores any and all groups that have been dismissed through the GBP UI. The built-in groups Anonymous and Other Groups cannot be dismissed.

As noted above, users that are not members of a network directory group or a local directory group are considered to be members of the Other Groups pre-defined group. This may happen because the user is not a member of any valid group, or because all the groups of which a user is a member have been dismissed.
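The group rules just described (transitive closure of directory and local group membership, dismissed groups, the built-in Anonymous and Other Groups, and the naming of anonymous Intranet, Extranet and Internet clients) can be put together in a few functions. The following is an added example, not code from the patent or the product it describes: the directory contents, the local group, the address ranges and the user names are all constructed, and the IAA is stood in for by an in-memory dictionary.

```python
"""Added example: classify an observed client into GBP groups (not the patent's code)."""
from __future__ import annotations
import ipaddress

# Constructed network directory: group -> direct members. A member may itself be
# a group (Finance is nested inside Employees), which is why membership is
# resolved as a transitive closure, as the IAA is described to return it.
DIRECTORY = {
    "Employees": {"jsmith", "rjones", "Finance"},
    "Finance": {"akim"},
    "Marketing": {"jsmith"},
    "Contractors": {"tlee"},
    "Headquarters": {"jsmith", "akim"},
}
# Constructed local (policy-defined) group.
LOCAL_GROUPS = {"Auditing Contractors": {"tlee"}}

# Constructed address ranges; in a deployment these come from policy.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXTRANET = [ipaddress.ip_network("172.16.0.0/12")]

BUILTIN = {"Anonymous", "Other Groups"}   # built-in groups cannot be dismissed


def transitive_groups(user: str) -> set[str]:
    """All groups the user belongs to, following nested group membership."""
    all_groups = {**DIRECTORY, **LOCAL_GROUPS}
    found: set[str] = set()
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in all_groups.items():
            if member in members and group not in found:
                found.add(group)
                frontier.append(group)   # a group can be a member of another group
    return found


def anonymous_name(ip: str, segregate_external: bool = False) -> str:
    """Display name for an unauthenticated client: Intranet clients are named by
    IP address; external ones coalesce into 'Internet' or 'Extranet' unless the
    optional per-IP segregation is switched on."""
    addr = ipaddress.ip_address(ip)
    if segregate_external or any(addr in net for net in INTRANET):
        return ip
    if any(addr in net for net in EXTRANET):
        return "Extranet"
    return "Internet"


def classify(user: str | None, ip: str, dismissed: frozenset[str] = frozenset(),
             segregate_external: bool = False) -> tuple[str, set[str]]:
    """Return (display name, effective groups) for one observed client.
    `dismissed` holds groups removed through the GBP UI."""
    if user is None:
        return anonymous_name(ip, segregate_external), {"Anonymous"}
    groups = transitive_groups(user) - (dismissed - BUILTIN)
    return user, (groups if groups else {"Other Groups"})


if __name__ == "__main__":
    print(classify("akim", "10.1.1.1"))
    print(classify("tlee", "10.1.1.2", frozenset({"Contractors", "Auditing Contractors"})))
    print(classify(None, "172.20.1.1"), classify(None, "8.8.8.8", segregate_external=True))
```

Note that a user whose every group has been dismissed lands in Other Groups rather than disappearing from the display, which is the case the last paragraph above calls out.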

As noted above, a network monitor which analyzes network traffic in the manner described above gives the monitor user the ability to see groups of users and their behavior across a network. Still, given the quantity of data, it can be difficult to see the forest for the trees. What is needed is a way of displaying the data that gives the user a reasonable description of network behavior and which allows the user to modify network behavior based on that description. The problem is, how do you present as dense a context around network behavior as possible so as to give a good picture of what is going on in the network?

One depiction of network activity is shown in FIG. 3. In this depiction, rows 302 through 309 illustrate groups of users while columns 320-326 illustrate critical business systems (CBSs). The intersection 330 of each row and column indicates the amount of network activity by that group of users to that CBS. In one embodiment, a bubble is displayed at each intersection to display, for instance, the number of users in the group that are accessing that CBS, or the number of accesses, etc.

The bubble table shown in FIG. 3 provides a field of data cross-matching group access behaviors into specific systems. This data is represented as bubbles as described below, but the table provides both a framework and the important context that allows the data to lead users into asking the right questions around constructing policy for their network.

Any shape could be used at the intersection of each row and column. In one embodiment, the bubble is used as a visual measure, providing low-fidelity quantitative information of network activity as filtered by monitor 108. Multiple bubbles give the user a quick comparison of a large related data set and steer the questions in their investigation of identity policy.

In one embodiment, the bubble is a simple circle. The size of the bubble is determined by the amount of bandwidth it represents. The shade of the bubble is determined by whether or not there are outliers within that bubble's data. In one such embodiment, the bubble comes in seven sizes.

In one embodiment, bubble details are presented in the form of a tooltip, consistent in display with other tool-tips displayed by monitor 108. In one embodiment, bubble details provide the amount of bandwidth shown, the number of users involved, and whether or not there are outliers to investigate.

In one embodiment, the bubble graph can be constrained by service using, for instance, a pull-down menu 352 (as shown in FIG. 3). In one such embodiment, pull-down menu 352 only shows services that were active during the time being queried.

In one embodiment, pull-down menu 352 displays services as defined in policy. If a service is only covered by the highest-level definitions (“Tcp,” “Udp,” “IP”) then it may be further broken down by common IANA services. For example, if TCP/1521 is not defined in policy, then it would be reported as the generic “Tcp” service within this widget unless it also relates to a common IANA service.

In one embodiment, clicking on the user group brings up a box 340 with information regarding the services the user group is accessing. In the embodiment shown, the number of users accessing a particular service is graphically displayed by increasing or decreasing the size of the bubble 360 for that service. In one such embodiment, the visual representation of bad behavior is scaled to the equivalent range of the visual representation of good events such that good events don't swamp bad events. In one embodiment, the color of the bubble is used to indicate whether the behavior is potentially good or bad. In one such embodiment, a lighter colored bubble indicates potential bad behavior, while a darker bubble indicates expected behavior. Such an approach makes bad behavior obvious.

In addition to color, in one embodiment the bubble is moved along a continuum line 362 used to indicate if the behavior displayed is expected or unexpected. Unexpected behavior is noted by color and by the designation “Investigate” at the end of the row. (See, e.g., the Secure Shell access by users in the Auditing Contractors group to the Finance Servers, a potentially bad behavior for users outside the Finance Department.)

In one embodiment, you can drill down into each bubble to see the events. In one embodiment, events associated with the users' interaction with the CBS are displayed in order of criticality when the bubble is clicked. In one embodiment, one can drill down into the services to see the events, or drill down into the bubble to see events associated with groups of users.

In one embodiment, the standard bubble graph view is configured by the user to select the CBSs and Groups that should be displayed (or ignored). In one such embodiment, this view is unique to each of the system's users. In another embodiment, columns and rows can be dragged and dropped to their intended position so no other configuration process is needed.

In one embodiment, a simple mechanism is included for removing groups from consideration on all discovery data displays. In one such embodiment, this is done by dismissing a group from the bubble graph and/or the CBS view.

In one embodiment CBSs are displayed left to right in decreasing order of bandwidth occupied.

In one embodiment, the application makes a clear distinction between the activities common to most of a group's users of a specific service on a specific system, who can be considered “mainstream” in their behavior, versus the members of a group whose use of a service on a system greatly differs from their peers, who can be considered “outliers” in their behavior. In one such embodiment, as is shown in FIG. 6 a, mainstream and outlier groups are shown in different colors. If a group is both an outlier and mainstream (for different services, that is) it is displayed in both colors (e.g., as concentric circles). Alternately, bubble shading across a distinct and obvious continuum as shown in FIGS. 7 and 8 can be used to denote the number of users involved in the interaction between group and system.

In the embodiment shown in FIG. 3, it is possible to monitor network behavior across particular time intervals based on activity that day, the last day, the last three days, the last seven days or the last two weeks, in addition to free-form time frame selection. A method of selecting the time period to be analyzed is shown in FIG. 3, where each day is shown in the timeline 350 at the top of the page. Selecting within the segment showing the previous week automatically causes monitor 108 to analyze based on the last two weeks. Selecting within the segment showing days 4-7 automatically causes monitor 108 to analyze based on the last week. Selecting within the segment showing days 2 and 3 automatically causes monitor 108 to analyze based on the last three days. Finally, selecting day 1 automatically causes monitor 108 to analyze based on the last day.

In one embodiment, a network traffic indicator for each day indicates the amount of traffic saved by monitor 108. The traffic indicator can be used by the user to choose an analysis based on the amount of data available for the given period.

In one embodiment, all selections in timeline 350 are from the current hour into the past. Selection grows to the left and shrinks to the right. Clicking in an unselected timeframe makes it the current selection. When the selection is changed, monitor 108 triggers a query, refreshing page data. In one such embodiment, clicking the current selection refreshes data if the last-queried data is more than one hour older than the current time.

In one embodiment, a data refresh is triggered when the current hour moves past the last hour.

In one embodiment, when a new timeframe query is made, controller 108 waits for three seconds before sending the query. This is an expensive query. If a new timeframe query comes from the same user before the last one returns—such as when the user accidentally made the wrong selection—the first query is cancelled and the new one started.

In the embodiment shown in FIGS. 3-5, the system defaults to displaying all services in all CBSs. By selecting pull-down menu 352, one can select one service to be analyzed across the CBSs, or a subset of services.

In one embodiment, a three-dimensional grid is used to display network activity. In one such embodiment, this involves:

creating a grid having a first, second and third axis;

assigning client groups to the first axis;

assigning critical business systems to the second axis;

assigning services to a third axis;

monitoring network traffic;

displaying network traffic on the grid as a function of client group, service and critical business system, wherein displaying includes associating a point on the first axis with each client group, associating a point on the second axis with each critical business system, associating a point on the third axis with each service and displaying a shape at intersections in the grid between points on the first, second and third axes, wherein the shape varies in size as a function of network traffic associated with a particular client group and a particular critical business system.
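The pieces described so far (the DDC record that summarizes one client-server-service pairing over a period, the policy and IANA naming of services behind pull-down menu 352, the seven bubble sizes, CBS columns ordered by bandwidth, and the three-axis group/CBS/service grid just listed) fit together as one small aggregation pipeline. The following is an added example, not code from the patent or its product: the records, the policy tables, the IANA subset and the log-scale mapping onto the seven sizes are all constructed or assumed, since the text says only that seven sizes exist and that size tracks bandwidth.

```python
"""Added example: DDC records rolled up into the group x CBS x service grid (not the patent's code)."""
from __future__ import annotations
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DDCRecord:
    """One DDC record: traffic between a client and a server for one service
    over one time period (a day here)."""
    day: str
    client: str      # user name, or IP address for an anonymous Intranet client
    group: str       # group chosen to represent this client
    server: str
    proto: str       # "Tcp" or "Udp"
    port: int
    bytes: int


# Constructed policy: which servers are CBSs, and which services policy defines.
POLICY_CBS = {"db01": "Finance Servers", "web01": "Marketing CRM"}
POLICY_SERVICES = {("Tcp", 22): "Secure Shell", ("Tcp", 443): "HTTPS"}
# Constructed subset of IANA well-known services used as the fallback.
IANA_SERVICES = {("Tcp", 21): "ftp", ("Tcp", 80): "http", ("Tcp", 1521): "oracle"}


def service_name(proto: str, port: int) -> str:
    """Policy-defined name first, then a common IANA name, else the generic protocol."""
    return POLICY_SERVICES.get((proto, port)) or IANA_SERVICES.get((proto, port)) or proto


def bubble_size(byte_count: int, max_bytes: int) -> int:
    """Map bandwidth onto the seven bubble sizes (1..7); 0 means no traffic.
    Assumption: log scale relative to the largest cell in the current view."""
    if byte_count <= 0 or max_bytes <= 0:
        return 0
    frac = math.log1p(byte_count) / math.log1p(max_bytes)
    return max(1, min(7, math.ceil(frac * 7)))


def build_grid(records, service: str | None = None) -> dict:
    """Three-axis grid {(group, cbs, service): bytes}. A service filter behaves
    like pull-down menu 352; None keeps every service."""
    grid: dict = defaultdict(int)
    for r in records:
        cbs = POLICY_CBS.get(r.server)
        if cbs is None:
            continue                      # not a critical business system
        svc = service_name(r.proto, r.port)
        if service is not None and svc != service:
            continue
        grid[(r.group, cbs, svc)] += r.bytes
    return dict(grid)


def bubble_table(records, service: str | None = None) -> dict:
    """Collapse the service axis into the two-axis table of FIG. 3:
    {(group, cbs): (total_bytes, size)}."""
    totals: dict = defaultdict(int)
    for (group, cbs, _svc), b in build_grid(records, service).items():
        totals[(group, cbs)] += b
    max_b = max(totals.values(), default=0)
    return {k: (b, bubble_size(b, max_b)) for k, b in totals.items()}


def cbs_order(records) -> list:
    """CBS columns left to right in decreasing order of bandwidth."""
    per_cbs: dict = defaultdict(int)
    for (_group, cbs, _svc), b in build_grid(records).items():
        per_cbs[cbs] += b
    return sorted(per_cbs, key=per_cbs.__getitem__, reverse=True)


# Constructed sample records for a single day.
RECORDS = [
    DDCRecord("day-1", "jsmith", "Marketing", "web01", "Tcp", 443, 5_000_000),
    DDCRecord("day-1", "rjones", "Marketing", "web01", "Tcp", 443, 3_000_000),
    DDCRecord("day-1", "akim", "Finance", "db01", "Tcp", 1521, 800_000),
    DDCRecord("day-1", "tlee", "Auditing Contractors", "db01", "Tcp", 22, 50_000),
    DDCRecord("day-1", "tlee", "Auditing Contractors", "fs03", "Tcp", 445, 9_000_000),
]

if __name__ == "__main__":
    print(cbs_order(RECORDS))
    for (group, cbs), (total, size) in bubble_table(RECORDS).items():
        print(f"{group:22s} -> {cbs:18s} {total:>10d} bytes, size {size}")
```

The record against fs03 is dropped because that server is not a CBS in policy, and TCP/1521 is reported under its IANA name because policy does not define it, which is exactly the fallback the pull-down paragraph describes.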

In one embodiment, as is shown in FIGS. 3-5, columns have tabbed headers 400 indicating the CBS. In one such embodiment, you can click on the tabbed header 400 to see in real-time the services being provided by that CBS, offering a rich context for a network behavior and its related events within a single page-view. Such an embodiment is shown in FIG. 4.

As can be seen in FIG. 4, in one embodiment, clicking on a column header causes a box 402 to open below the last row. The box 402 includes information as to the services offered by the CBS. By clicking on a system service in box 402, one can determine the user groups accessing that particular service on the CBS (window 404). By clicking on a particular user group in box 402, a window 406 opens listing access by that user group to all the CBSs in system 100.

This display and drill-down methodology provides a mechanism for organizing and tracking services and users in computer system 100.

In the embodiment shown in FIG. 5, selecting a column header 400 and a row header 310 results in highlighting both the row and the column, and the display of network transfer bandwidth 502 associated with the intersection 500. In one embodiment, such a selection results in the display of both box 340 and box 402. In one such embodiment, selection of an item within either box 340 or box 402 results in a drill down into the item selected. For example, selection of Secure Shell service access by the Auditing Contractors Group results in the display of information such as service frequency by particular users in the group.

Also shown on FIG. 5 are policy controls 510 and 512. Policy control 510 (labeled “PCI Monitoring”) indicates that this particular service for this particular group falls within the PCI Monitoring policy. Selection of control 510 takes the user to another screen that displays the policy. Similarly, policy control 512 (labeled “East Coast Controls”) indicates that this particular service for this particular group is covered by the East Coast Control policy. Selection of control 512 takes the user to another screen that displays the East Coast Control policy.

Also shown on FIG. 5 is a control 514 for establishing a threshold level for identifying outlier user groups. In the embodiment shown, control 514 is a line extending across an outlier threshold line for user groups associated with that service. Selection of control 514 allows one to dynamically adjust the outlier threshold by dragging the line right or left.
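The mainstream/outlier split described earlier (users whose use of a service on a system greatly differs from their peers), the tooltip contents (bandwidth, user count, whether there are outliers to investigate) and the draggable threshold control 514 can be demonstrated together. The following is an added example, not code from the patent or its product: the per-user session counts are constructed, and the statistic (compare each user against the group median with an adjustable multiplier) is an assumption, since the text does not define how "greatly differs" is measured.

```python
"""Added example: mainstream vs. outlier users with an adjustable threshold (not the patent's code)."""
from __future__ import annotations
from statistics import median

# Constructed: Secure Shell sessions per user for the Auditing Contractors group
# against the Finance Servers over the selected period.
SESSIONS = {"tlee": 3, "mpatel": 2, "kwong": 4, "dmoss": 41}


def is_outlier(count: int, group_median: float, threshold: float) -> bool:
    """Assumed rule: an outlier is a user whose activity is at least `threshold`
    times the group's median; when the median is zero, any activity stands out."""
    if group_median == 0:
        return count > 0
    return count >= threshold * group_median


def split_users(counts: dict[str, int], threshold: float = 4.0) -> tuple[list[str], list[str]]:
    """Partition a group's users of one service on one system into
    (mainstream, outliers). `threshold` plays the role of control 514:
    dragging it higher makes fewer users count as outliers."""
    if not counts:
        return [], []
    med = median(counts.values())
    outliers = sorted(u for u, c in counts.items() if is_outlier(c, med, threshold))
    mainstream = sorted(set(counts) - set(outliers))
    return mainstream, outliers


def bubble_details(counts: dict[str, int], bytes_total: int, threshold: float = 4.0) -> dict:
    """Tooltip content for one bubble: bandwidth, number of users, and whether
    there are outliers to investigate (the same flag selects the bubble's shade)."""
    _mainstream, outliers = split_users(counts, threshold)
    return {"bandwidth": bytes_total, "users": len(counts),
            "investigate": bool(outliers), "outliers": outliers}


if __name__ == "__main__":
    for t in (4.0, 12.0):
        print(f"threshold x{t}:", split_users(SESSIONS, t))
    print(bubble_details(SESSIONS, 50_000))
```

With the default multiplier the single heavy user is flagged and the bubble reads "Investigate"; sliding the threshold far enough to the right (a multiplier of 12 on these counts) clears the flag, which is the behaviour an analyst tuning control 514 would expect.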

Once you can display network behavior, it becomes possible to verify traffic against role-based controls and pre-built security best practices. Automated discovery capability helps uncover the “who, what, and where” during the planning phase of change projects, without requiring any rule definition. FIG. 6 a illustrates the results of a discovery session conducted on a network using network monitor 108. Once again, FIG. 6 a illustrates the pull-down menu 352 and the timeline 350, and the column and row structure used to show user access to services on CBSs.

In the approach shown in FIG. 6 a, common, or mainstream, user groups are shown as lighter colored bubbles, while outlier user groups are shown as darker bubbles. This makes it much simpler to distinguish between groups.

In one embodiment, network monitor 108 includes a verification capability. In some such embodiments, this verification capability builds on the discovery view. In one embodiment, verification automatically verifies traffic against role-based controls and pre-built security best practices. This verification process can instantly pinpoint and provide real-time alerts on the following representative examples:

1) Access by non-authenticating users, such as terminated employees who have had their access privileges revoked

2) Network access exceptions such as file servers, disallowed network applications, and geographically dispersed printers that are not behaving as expected

3) Verifying access of users that should be on the network, such as reassigned employees or outsourcers who inappropriately, perhaps inadvertently, access systems they shouldn't

4) Unsecured or malicious activities, including tunneling of services like FTP inside of HTTP to transit firewalls

5) Verifying expected usage of administrative protocols or commands,such as web authoring.

The results are shown in a display such as is shown in FIG. 6 b, wherecolor ranges from red through yellow to green as a function of theseverity of potential problems, if any. In the embodiment shown in FIG.6 b, the summary box 602 shows compliance with policy to beapproximately 76.2% for the traffic surveyed. The top ten events areshown at the bottom of the screen (in section 604), sorted in order ofcriticality.

In one embodiment, one can easily switch between discovery andverification modes by selecting discovery tab 600 (for data discovery)or control tab 601 (for policy verification).

FIG. 7 illustrates discovery on a computer system with slightly more than four days of discovery data.

The above system can be extended beyond network traffic to discover and control firewalls. FIG. 8 illustrates traffic as a function of users (rows) and destinations (columns), with the “What” list listing the services offered across all the relevant critical business systems. Once again, the bubble color is used to indicate information relative to the intersection of the row and column. In the example shown, the bubble indicates the amount of traffic to that CBS and the color indicates whether the traffic is allowed or denied.

The timeline 850 in FIG. 8 illustrates a different way of displaying the amount and duration of network traffic. Drop-down menus 802, 804 and 806 allow the user to select whether to display a single group, a single service or a single CBS, respectively.

User Discovery

In a directory-based system such as Active Directory, a user can exist in a number of different groups. She may be a member of the Finance Group, the Executive Staff, Employees and Headquarters. In the past, systems that wanted to display network activity as a function of user behavior either had to list all users or all groups, or were constrained to selected users or groups of users preselected by the network administrator. Each group-based approach had the limitation that actions of individual users distributed across multiple groups would be duplicated across each of the user's groups, overemphasizing the effect of that user. What is needed is a system and method for automatically assigning users to groups in a way that accurately reflects the actions of each group and that makes it easy to write security policies that cover each user. In one embodiment, given the set of users accessing a particular service on a particular server, we determine the best way to group the users.

In one embodiment, the GBP engine 136 uses one or more of the following algorithms during discovery to determine which groups best represent the clients of a CBS or a CBS-service pair: 1) a group representation algorithm, 2) a client representation algorithm and 3) a group ranking algorithm. In one embodiment, the algorithm to be used is selected by the user.

The Group Representation Algorithm is shown in FIG. 9a and is as follows:

Given a target system—CBS or group of CBSs, service or group of services, or a combination of the two—and a set of clients for that target system, compute usage “by group representation” for that target as follows:

1) Compute (at 910) the set of all the groups of which the clients (users or computers) are members, using the group information retrieved from the IAA 140, as noted above.

2) For each group, determine (at 915) the ratio of clients that are members of the group to the total number of active users of the group; this is termed the percentage of active users.

3) Segregate the groups into two sets: mainstream and outlier. Mainstream Groups are those whose percentage of active users is at or above a certain threshold value. The threshold value is configurable and varies depending on the total number of active users in the group. In one embodiment, the default set of threshold values is 50% for groups under 10 active users, 40% for groups between 11 and 100 active users, 30% for groups between 101 and 1000 active users, and 25% for groups larger than 1000 active users. Outlier Groups are those whose percentage of active users falls below this threshold.

4) Within the mainstream groups, sort (at 920) the groups in increasing order of clients.

5) Within the mainstream groups, find (at 925) any and all groups whose entire set of clients is contained by another (larger) mainstream group; subsume (at 930) the smaller mainstream group into the larger mainstream group.

6) Sort (at 935) the mainstream groups in descending order of percentage of active users;

7) In the mainstream groups, assign (at 940) each client to one and only one group, giving priority to the groups with the highest percentage of active users, i.e., groups higher in the sorted list;

8) After this step is performed, any mainstream group that falls below the threshold of active users is moved (at 945) to the outliers group.

9) Remove from the outlier groups (at 950) all clients that have been accounted for (i.e., are members of) any of the mainstream groups.

10) Sort the outlier groups (at 955) in descending order of percentage of active users.

11) Assign (at 960) each client to one and only one outlier group, giving priority to the groups with the highest percentage of active users, i.e., groups higher in the sorted list.

The result is a set of user groups for each particular target. The assignment of clients to user groups is a function of target and may change as monitor 108 filters network traffic by target.

The following example illustrates the Group Representation Algorithm:

Discovery Data indicates that a Web Server has 15 distinct clients as follows:

a) 8 clients are members of the Quality Assurance, Engineering and Corporate Employees groups;

b) 2 clients are members of the Engineering and Corporate Employees groups;

c) 5 clients are members of the Corporate Employees group.

The composition of these groups is as follows:

a) The Quality Assurance group has 8 active users;

b) The Engineering group has 20 active users;

c) The Corporate Employees group has 100 active users.

Thus, the percentage of active users for each group is:

a) Quality Assurance: 8 out of 8 = 100%

b) Engineering: 10 out of 20 = 50%

c) Corporate Employees: 15 out of 100 = 15%

Both the Quality Assurance and the Engineering groups are mainstream groups, while the Corporate Employees group is an outlier. However, because all members of the Quality Assurance group are also members of the Engineering group, the former is subsumed by the latter. Thus, after applying the algorithm noted above, Web Server's clients are assigned to groups as follows:

a) 10 clients are assigned to the Engineering group, which is designated a mainstream group;

b) 5 clients are assigned to the Corporate Employees group, which is designated an outlier group.
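Steps 1 to 11 and the Web Server example, carried through in Python as an added example (this is not code from the patent). Client identifiers c1 to c15 are constructed; two points the text leaves open are marked as assumptions in the comments: the threshold bucket for a group of exactly 10 active users, and whether step 10 recounts the percentage over the clients still unassigned.

```python
"""Group Representation Algorithm, steps 1-11 above (added example, not the
patent's code).  memberships maps each client to the set of directory groups
it belongs to; active maps each group to its number of active users."""
from typing import Dict, Set, Tuple

Groups = Dict[str, Set[str]]  # group name -> set of clients


def threshold_for(active_users: int) -> float:
    """Default thresholds from step 3.  The text does not say which bucket a
    group of exactly 10 active users falls in; we use the 50% bucket (assumption)."""
    if active_users <= 10:
        return 0.50
    if active_users <= 100:
        return 0.40
    if active_users <= 1000:
        return 0.30
    return 0.25


def group_representation(memberships: Groups, active: Dict[str, int]) -> Tuple[Groups, Groups]:
    """Return (mainstream, outliers), each mapping a group to the clients assigned to it."""
    # Step 1: every group a client belongs to, inverted to group -> clients.
    clients_of: Groups = {}
    for client, groups in memberships.items():
        for g in groups:
            clients_of.setdefault(g, set()).add(client)

    def pct_active(g: str, members: Set[str]) -> float:
        return len(members) / active[g]  # Step 2: percentage of active users

    # Step 3: mainstream groups meet their size-dependent threshold, the rest are outliers.
    mainstream = [g for g in clients_of
                  if pct_active(g, clients_of[g]) >= threshold_for(active[g])]
    outliers = [g for g in clients_of if g not in mainstream]

    # Step 4: increasing number of clients, so each group is compared with the larger ones.
    mainstream.sort(key=lambda g: len(clients_of[g]))
    # Step 5: a group whose clients all sit inside a larger mainstream group is subsumed.
    mainstream = [g for i, g in enumerate(mainstream)
                  if not any(clients_of[g] <= clients_of[h] for h in mainstream[i + 1:])]

    # Step 6: descending percentage of active users.
    mainstream.sort(key=lambda g: pct_active(g, clients_of[g]), reverse=True)

    # Step 7: each client goes to the first mainstream group (in that order) it belongs to.
    assigned: Groups = {g: set() for g in mainstream}
    for client, groups in memberships.items():
        for g in mainstream:
            if g in groups:
                assigned[g].add(client)
                break

    # Step 8: a mainstream group that now falls below its threshold becomes an outlier.
    for g in list(mainstream):
        if pct_active(g, assigned[g]) < threshold_for(active[g]):
            mainstream.remove(g)
            del assigned[g]
            outliers.append(g)

    # Step 9: clients placed in a mainstream group leave the outlier groups.
    placed: Set[str] = set().union(*assigned.values())
    remaining = {g: clients_of[g] - placed for g in outliers}

    # Step 10: descending percentage of active users, counted over the clients
    # still unassigned (the text does not say whether to recount; assumption).
    outliers.sort(key=lambda g: pct_active(g, remaining[g]), reverse=True)

    # Step 11: each remaining client goes to the first outlier group it belongs to.
    outlier_assigned: Groups = {g: set() for g in outliers}
    for client in set(memberships) - placed:
        for g in outliers:
            if client in remaining[g]:
                outlier_assigned[g].add(client)
                break
    return assigned, outlier_assigned


def web_server_example() -> Tuple[Groups, Groups]:
    """The Web Server example from the text, with constructed client ids c1..c15."""
    memberships = {
        **{f"c{i}": {"Quality Assurance", "Engineering", "Corporate Employees"} for i in range(1, 9)},
        **{f"c{i}": {"Engineering", "Corporate Employees"} for i in range(9, 11)},
        **{f"c{i}": {"Corporate Employees"} for i in range(11, 16)},
    }
    active = {"Quality Assurance": 8, "Engineering": 20, "Corporate Employees": 100}
    return group_representation(memberships, active)


if __name__ == "__main__":
    mainstream, outliers = web_server_example()
    for label, groups in (("mainstream", mainstream), ("outlier", outliers)):
        for g, clients in groups.items():
            print(f"{label:10s} {g}: {len(clients)} clients")
```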

The Client Representation Algorithm will be described next. This algorithm presents different sets of groups that best represent the client set based on different aggregation levels. An aggregation level denotes the ratio of clients that are members of that group to the total number of clients. In one embodiment, three levels are defined:

1—groups that represent 33% or less of the clients;

2—groups that represent between 34% and 66% of the clients;

3—groups that represent between 67% and 100% of the clients.

The algorithm is shown in FIG. 9b and is as follows:

1) Compute (at 1010) the set of all the groups of which the clients (users or computers) are members, using the group information retrieved from the IAA 140, as noted above.

2) For each group, determine (at 1020) the ratio of clients that are members of the group to the total number of clients; this is termed the percentage of clients. Map this value into an aggregation level.

3) Aggregate (at 1030) all the groups into aggregation levels and select an aggregation level as the selected aggregation level.

4) Sort (at 1040) the selected groups in decreasing order of percentage of clients.

5) Within the selected groups, assign each client to one and only one group, giving priority (at 1050) to the groups with the highest percentage of clients; if a selected group's aggregation level falls below the selected aggregation level, move it back to the remaining set of groups.

6) Remove (at 1060) all the clients assigned to the selected groups from the remaining groups.

7) Repeat (at 1070) the previous 3 steps until there aren't any groups whose aggregation level matches the selected aggregation level.

8) At 1080, increase the aggregation level by one, making it the selected aggregation level, and repeat the procedure starting at step 3. Once the aggregation level has reached its highest value (3), decrease it by one at every iteration until the lowest aggregation level (1) has been reached or the set of groups remaining to be processed is empty.

After applying the above algorithm, any groups whose percentage of clients falls outside the selected aggregation level are considered outliers.

The following example illustrates the Client Representation Algorithm:

Discovery Data indicates that a Web Server has 15 distinct clients as follows:

a) 8 clients are members of the Quality Assurance, Engineering and Corporate Employees groups;

b) 2 clients are members of the Engineering and Corporate Employees groups;

c) 5 clients are members of the Corporate Employees group.

The percentage of clients for each group is:

a) Quality Assurance: 8 out of 15 = 53% (aggregation level 2)

b) Engineering: 10 out of 15 = 66% (aggregation level 2)

c) Corporate Employees: 15 out of 15 = 100% (aggregation level 3)

If the selected aggregation level is 1 (0-33%), none of the groups falls under this aggregation level; therefore, all groups are designated outliers. The assignment of clients to groups proceeds as under aggregation level 2 below. If the selected aggregation level is 2 (34-66%), both Quality Assurance and Engineering fall under this aggregation level. Engineering represents a higher percentage of clients and is picked to represent 10 out of the 15 total clients. Quality Assurance is left with 0 (zero) clients and Corporate Employees accounts for the remaining 5 clients, which represent 33% of the total clients (aggregation level 1). The algorithm attempts to select groups with the next higher aggregation level (3) and, failing to find any, reduces the aggregation level first to 2 and then to 1, where Corporate Employees is selected as representative of the remaining 5 clients. Engineering is designated a mainstream group and Corporate Employees is designated an outlier.

If the selected aggregation level is 3 (67-100%), only Corporate Employees falls under this aggregation level. Since it accounts for 100% of the clients, it is designated a mainstream group and no groups are designated outliers.
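Steps 1 to 8 and the three cases of the Web Server example above, in Python as an added example (not code from the patent). Client identifiers c1 to c15 are constructed; percentages are truncated as the text does (10 of 15 is reported as 66%), and two readings of the text are marked as assumptions in the comments: a group left with no unassigned clients drops out of the remaining set, and a group is mainstream or outlier according to its original share of clients.

```python
"""Client Representation Algorithm, steps 1-8 above (added example, not the
patent's code).  memberships maps each client to the groups it belongs to."""
from typing import Dict, Set, Tuple

Groups = Dict[str, Set[str]]  # group name -> set of clients


def level_of(count: int, total: int) -> int:
    """Aggregation level: 1 for 0-33% of the clients, 2 for 34-66%, 3 for 67-100%.
    The percentage is truncated, as in the text (10 of 15 clients is 66%)."""
    pct = 100 * count // total
    return 1 if pct <= 33 else 2 if pct <= 66 else 3


def client_representation(memberships: Groups, selected_level: int) -> Tuple[Groups, Groups]:
    """Return (mainstream, outliers), each mapping a group to the clients it represents."""
    total = len(memberships)
    # Step 1: every group a client belongs to, inverted to group -> clients.
    clients_of: Groups = {}
    for client, groups in memberships.items():
        for g in groups:
            clients_of.setdefault(g, set()).add(client)

    remaining = {g: set(c) for g, c in clients_of.items()}  # groups still to be processed
    assigned: Groups = {}
    level, climbing = selected_level, True
    while remaining:
        # Steps 2-4: groups whose current share of clients maps to this level,
        # highest percentage of clients first.
        selected = sorted((g for g in remaining if level_of(len(remaining[g]), total) == level),
                          key=lambda g: len(remaining[g]), reverse=True)
        if not selected:
            # Step 8: climb one level at a time up to 3, then descend until level 1.
            if climbing and level < 3:
                level += 1
            elif level > 1:
                climbing, level = False, level - 1
            else:
                break
            continue
        for g in selected:
            if g not in remaining:
                continue  # emptied by a group processed earlier in this pass (assumption)
            taken = remaining[g]
            if level_of(len(taken), total) < level:
                continue  # Step 5: fell below the level, so it stays in the remaining set
            assigned[g] = taken  # Step 5: these clients now belong to g and to g only
            del remaining[g]
            # Step 6: drop the assigned clients from every remaining group; a group
            # left with no clients drops out entirely (assumption).
            remaining = {h: c - taken for h, c in remaining.items() if c - taken}
        # Step 7: the loop re-selects at the same level until no group matches.

    # A represented group is an outlier when its original share of clients maps to a
    # level other than the selected one (our reading of the text; assumption).
    mainstream = {g: c for g, c in assigned.items()
                  if level_of(len(clients_of[g]), total) == selected_level}
    outliers = {g: c for g, c in assigned.items() if g not in mainstream}
    return mainstream, outliers


def web_server_example(selected_level: int) -> Tuple[Groups, Groups]:
    """The 15 Web Server clients from the text, with constructed ids c1..c15."""
    memberships = {
        **{f"c{i}": {"Quality Assurance", "Engineering", "Corporate Employees"} for i in range(1, 9)},
        **{f"c{i}": {"Engineering", "Corporate Employees"} for i in range(9, 11)},
        **{f"c{i}": {"Corporate Employees"} for i in range(11, 16)},
    }
    return client_representation(memberships, selected_level)


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        mainstream, outliers = web_server_example(lvl)
        print(f"level {lvl}: mainstream={ {g: len(c) for g, c in mainstream.items()} }"
              f" outliers={ {g: len(c) for g, c in outliers.items()} }")
```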

A Group Ranking Algorithm (1100) will be discussed next. As can be seen in FIG. 9c:

1) Compute (at 1110) the set of all the groups of which the clients (users or computers) are members, using the group information retrieved from the IAA 140, as noted above.

2) For each group, retrieve from the IAA (at 1115) the count of group members that are active users.

3) Order (at 1120) the groups by increasing number of active users such that a group with a small number of active users ranks higher than a group with a larger number of active users.

4) Assign each user to the highest ranked group of which he is a member.

The following example illustrates the Group Ranking Algorithm:

Discovery Data indicates that a Web Server has 15 distinct clients who are members of 3 different groups whose composition is as follows:

a) The Quality Assurance group has 8 active users;

b) The Engineering group has 20 active users;

c) The Corporate Employees group has 100 active users.

Thus, ordering the groups by increasing number of active users yields:

1. Quality Assurance (8)

2. Engineering (20)

3. Corporate Employees (100)

As a result, any client who is a member of Quality Assurance will be assigned to the Quality Assurance group regardless of any other group membership. Likewise, any client who is a member of Engineering (but not Quality Assurance) is assigned to the Engineering group. All other clients are assigned to the Corporate Employees group.

Asset Discovery

In one embodiment, the GBP engine 136 uses an asset discovery algorithm during discovery to determine which CBSs to include in the list of Critical Business Systems.

In one embodiment of the invention, CBS discovery is automated from the DDC information, as follows.

At 1210, network traffic is reviewed for potential critical assets.

At 1220, the number of events for each asset found is compared to the number of events of all assets found to determine if the asset is a critical asset. If not, control moves to 1260.

If, at 1220, the number of events for each asset found indicates that the asset is a critical asset, control moves to 1230. At 1230, the number of packets for each asset found is compared to the number of packets of all assets found to determine if the asset is a critical asset. If not, control moves to 1260.

If, at 1230, the number of packets for each asset found indicates that the asset is a critical asset, control moves to 1240 and the asset is designated a critical asset (or Critical Business System (CBS)). In one embodiment, an asset is a critical asset if the events per asset of this asset places the asset in the top P1 percentile of all the assets found and if the packets per asset of this asset places the asset in the top P2 percentile of all the assets found. In one such embodiment, P1 and P2 equal 90%. Control then moves to 1250 and the process is repeated until all assets found have been reviewed.

At 1260, the number of users accessing each asset is compared to the number of users accessing each of the other assets found to determine if the asset is a critical asset. If not, control moves to 1250.

If, at 1260, the number of users accessing each asset found indicates that the asset is a critical asset, control moves to 1270. At 1270, the number of packets for each asset found is compared to the number of packets of all assets found to determine if the asset is a critical asset. If not, control moves to 1260. Note: this test may use different parameters than the test at 1230.

If, at 1270, the number of packets for each asset found indicates that the asset is a critical asset, control moves to 1240 and the asset is designated a critical asset (or Critical Business System (CBS)). In one embodiment, an asset is a critical asset if the users per asset of this asset places the asset in the top P3 percentile of all the assets found and if the packets per asset of this asset places the asset in the top P4 percentile of all the assets found. In one such embodiment, P3 and P4 equal 75%. Control then moves to 1250 and the process is repeated until all assets found have been reviewed.

In one embodiment, for each DDC data set, the monitor 108 computes histograms for the number of events, the number of packets, and the number of clients. For example, one histogram lists how many hosts have 1-100 events, how many 100-200 events, and so on. For purposes of CBS discovery, these numbers are summed over all the services accessing the CBS.

From the histogram data, a percentile may be computed by dividing the domain of the data into 100 parts.

From this histogram data, CBSs are assigned as follows:

Hosts above a fixed percentile of events AND of packets (set intersection) are considered to be CBSs. In one embodiment, this fixed percentile is 90 percent.

Hosts with at least a fixed percentile of number of users, also having a second fixed percentile of packets, are considered to be CBSs. In one embodiment, the fixed percentile and second fixed percentile are both 75 percent.

In one embodiment of the invention, this algorithm is applied to subsequent DDC data sets, and newly discovered CBSs are merged in with those discovered in previous applications of the algorithm.

In one embodiment of the invention, the monitor 108 ignores DDC data sets unless a minimum number of events, packets and users appear in the data.

In one embodiment of the invention, the monitor 108 ignores DDC data sets until a fixed time interval has passed after system startup.

In one embodiment of the invention, the monitor 108 maintains a list of hosts that are excluded from consideration as CBSs, such as hosts that are members of a DHCP pool.

In one embodiment of the invention, the monitor 108 additionally requires that a CBS be derived from a DDC data set more than a minimum number of times, such as 2, in an interval of time, such as one day, or it is excluded from consideration.

In one embodiment of the invention, the monitor 108 removes CBSs from its list of previously discovered CBSs if they fail to be identified as CBSs more than a minimum number of times per day, such as 3.
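The two-path percentile test (1220/1230 with P1 = P2 = 90 and 1260/1270 with P3 = P4 = 75), the exclusion list for hosts such as DHCP pool members, and the rule that a CBS must be derived from more than one DDC data set before it is listed, in Python as an added example that is not the patent's code. Percentiles are taken nearest-rank over the assets of one DDC data set, which is our reading of the histogram rule; the host names and counts are constructed.

```python
"""Percentile-based CBS discovery (1210-1270 and the histogram rules above),
as an added example, not the patent's code.  Percentiles are nearest-rank over
the assets in one DDC data set: our reading of "dividing the domain of the
data into 100 parts"."""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AssetStats:
    """Per-host totals for one DDC data set, summed over all services on the host."""
    host: str
    events: int
    packets: int
    users: int


def percentile_cut(values: Iterable[int], p: int) -> int:
    """Smallest observed value with at least p percent of the assets at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def discover_cbs(assets: List[AssetStats], excluded: Optional[Set[str]] = None,
                 p1: int = 90, p2: int = 90, p3: int = 75, p4: int = 75) -> Dict[str, str]:
    """Map each CBS found in this data set to the test that designated it."""
    excluded = excluded or set()
    candidates = [a for a in assets if a.host not in excluded]  # e.g. DHCP pool members
    ev_cut = percentile_cut((a.events for a in candidates), p1)      # top P1 of events
    pk_cut_hi = percentile_cut((a.packets for a in candidates), p2)  # top P2 of packets
    us_cut = percentile_cut((a.users for a in candidates), p3)       # top P3 of users
    pk_cut_lo = percentile_cut((a.packets for a in candidates), p4)  # top P4 of packets
    found: Dict[str, str] = {}
    for a in candidates:
        if a.events >= ev_cut and a.packets >= pk_cut_hi:    # 1220, then 1230
            found[a.host] = "events+packets"
        elif a.users >= us_cut and a.packets >= pk_cut_lo:   # 1260, then 1270
            found[a.host] = "users+packets"
    return found


class CbsTracker:
    """Merges results over successive DDC data sets; a host is listed as a CBS
    only after it has been derived at least min_times (the text's example is 2)."""

    def __init__(self, min_times: int = 2, excluded: Optional[Set[str]] = None):
        self.min_times = min_times
        self.excluded = excluded or set()
        self.hits: Dict[str, int] = {}

    def observe(self, assets: List[AssetStats]) -> Dict[str, str]:
        found = discover_cbs(assets, self.excluded)
        for host in found:
            self.hits[host] = self.hits.get(host, 0) + 1
        return found

    def confirmed(self) -> Set[str]:
        return {h for h, n in self.hits.items() if n >= self.min_times}


def sample_data_set() -> List[AssetStats]:
    """Constructed sample: 16 workstations and four servers with made-up counts."""
    hosts = [AssetStats(f"ws{i:02d}", 100 + 10 * i, 1000 + 100 * i, 2 if i <= 8 else 1)
             for i in range(1, 17)]
    hosts += [AssetStats("mail", 5000, 90000, 40),
              AssetStats("web", 4000, 20000, 120),
              AssetStats("fileshare", 200, 80000, 60),  # few events, but heavily used
              AssetStats("printer", 300, 1500, 50)]     # many users, little traffic
    return hosts


if __name__ == "__main__":
    tracker = CbsTracker(min_times=2)
    for _ in range(2):  # two consecutive DDC data sets
        print(tracker.observe(sample_data_set()))
    print("confirmed CBSs:", sorted(tracker.confirmed()))
```

With these counts the file server only qualifies through the users-and-packets path, and the printer, despite its many users, is kept out by the packet cut.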

In one embodiment of the invention, CBS discovery is performed based on a template of services. The templates are created by the network administrator. Each template indicates a list of services and the kind of CBS that corresponds to this list. For example, a Microsoft Exchange Server might include the services: SMB, SMTP, POP, IMAP, RPC. For each host in each DDC data set, the monitor 108 computes the total services exported by that host, and compares this to each template. Hosts that match are considered to be CBSs.

Discovery for Policy Development

In one embodiment, assigning users to groups that best represent them using the Group Representation Algorithm, the Client Representation Algorithm or the Group Ranking Algorithm allows a network administrator to determine how the resources of the network's critical business systems are being used and to tailor policy controls that enable appropriate use while preventing undesirable access behavior, as in a network monitoring system or a firewall.

This process of policy definition and refinement is greatly enhanced and simplified by the application's ability to automatically segregate users into mainstream groups and outlier groups. In one embodiment, the network administrator automatically creates policy controls that enable mainstream groups to access the network resources. Clients that belong to outlier groups are scrutinized and, if deemed to be legitimate users of the resource, the outlier group is sub-divided to include just the set of users that are authorized.

In one embodiment, as is shown in FIG. 11, the policy refinement workflow, using the GBP UI, is thus:

1. Select a timeframe for traffic analysis; this timeframe should be sufficiently long to allow for the collection of a representative sample of traffic, such as one week. Then monitor (at 1310) network traffic for the selected timeframe.

2. Select, at 1315, a CBS for which additional policy controls are desirable; this selection may be based on the amount of traffic to that CBS or the number of users that are clients of the CBS, or it may be determined by the relative importance of the CBS.

3. Select, at 1320, a service offered by the CBS and review, at 1325, the group assignments presented by the application using the Group Representation Algorithm; classify, at 1330, each user group as either mainstream or outlier:

a. If, at 1335, a very small number of mainstream groups are presented and there are no outlier groups, automatically create policy controls at 1340 for the mainstream groups.

b. If, at 1335, there is a mix of mainstream and outlier groups presented, use the Client Representation Algorithm at 1345 to determine at 1350 if there is a group, or small number of groups, that comprises the entire client set without any one group being overly broad (e.g., if the only available user group that contains both user groups “Finance” and “Marketing” was the user group “Employees,” that could potentially be overly broad). Cross-check access by this group to the same or similar services against other CBSs to further substantiate the presumed access rights. If such a group (or groups) is found, create the corresponding policy controls at 1340.

c. If the Client Representation Algorithm does not yield a strong set of candidate groups, or the groups presented by the Group Representation Algorithm are all outliers, create at 1360 one or more new groups that are a better fit to the client set and recompute the assignment of clients to groups at 1325 using the new groups.

The identity-aware network monitoring system and method described above helps lower cost and enable faster and broader deployment of visibility into “who is doing what and where” across applications and networks.

Ultimately, the systems and methods described above help increase efficiency and compliance by:

Replacing time-intensive manual discovery surveys

Simplifying the process of defining identity-based controls

Dispensing with the inaccurate manual verification of logs

Decreasing investigation time for access violations with correlated data

Reducing disruption of erroneous infrastructure and access changes

Monitoring and controlling access to network resources without application recoding

At the same time, the systems and methods described above help reduce risk by:

Detecting inappropriate user behavior after network authentication and authorization

Eliminating the bypassing of security gateways and access controls

Compensating control for unprotected custom applications

Detecting abuses from deprovisioned users and users assigned to new roles

Monitoring the use of privileged accounts.

FIG. 12 is a schematic diagram illustrating a medium having an instruction set that results in an identity-aware network monitoring system and method according to an example embodiment. A machine-readable medium 1400 includes any type of storage medium such as a disk drive or a solid state memory device, or the like. A machine-readable medium 1400 includes instructions within an instruction set 1450. The instruction set 1450, when executed by a machine such as an information handling system or a processor, causes the machine to perform operations such as displaying identity-based network behavior and controlling access to and behavior of networks as a function of observed identity-based network behavior.

In an example embodiment of a machine-readable medium 1400 that includes the instruction set 1450, the instructions, when executed by a machine, cause the machine to perform operations such as automatic grouping of users in groups and automatic discovery of network assets and network policy.

Thus, methods and a machine-readable medium including instructions for displaying and controlling network behavior based on identity have been described. Although the various methods for displaying and controlling network behavior based on identity have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader embodiment of the disclosed subject matter. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement that achieves the same purpose, structure, or function may be substituted for the specific embodiments shown. This application is intended to cover any adaptations or variations of the example embodiments of the invention described herein. It is intended that this invention be limited only by the claims, and the full scope of equivalents thereof.

1. In a network having a plurality network entities, including networkusers and network assets, a method of discovering network entities,comprising: monitoring network traffic, wherein monitoring includesfinding network entities in the network traffic; if the network entitiesare network assets, determining if the network entities are criticalnetwork assets; and if the network entities are network users,classifying the network users automatically into user groups; anddisplaying the network traffic as a function of the critical networkassets and the user groups.
 2. The method of claim 1, whereinclassifying the network users into user groups automatically,comprising: assigning clients to user groups, wherein assigning clientsto user groups includes assigning one or more clients to multiple usergroups; sorting the groups; and processing the groups so that eachclient is a member of a single group.
 3. The method of claim 2, whereinsorting the groups includes sorting clients into mainstream groups andoutlier groups.
 4. The method of claim 3, wherein sorting the groupsincludes applying a client representation algorithm to the groups. 5.The method of claim 3, wherein sorting the groups includes applying agroup representation algorithm to the groups.
 6. The method of claim 2,wherein sorting the groups includes: determining, for each group, apercentage of active users; sorting the groups in descending order ofpercentage of active users; and assigning each client to a single group,giving priority to the groups with the highest percentage of activeusers.
 7. The method of claim 1, wherein determining if the networkentities are critical network assets includes: determining, for each ofthe network assets, events, packets and users per network asset; foreach network asset found in the network traffic, if the events per assetof the asset are greater than the events per asset of a first percentileof all assets found in the network traffic and if the packets per assetof the asset are greater than the packets per asset of a secondpercentile of all assets found in the network traffic, designating saidasset as a critical asset; and for each network asset found in thenetwork traffic, if the users per asset of the asset are greater thanthe users per asset of a third percentile of all assets found in thenetwork traffic and if the packets per asset of the asset are greaterthan the packets per asset of a fourth percentile of all assets found inthe network traffic, designating said asset as a critical asset.
 8. In anetwork having a plurality network entities, including network users andnetwork assets, a network monitor, comprising: a data collector, whereinthe data collector captures information indicative of network traffic;and a data analyzer connected to the data collector, wherein the dataanalyzer decodes and analyzes the information captured by the datacollector; a processor connected to the data analyzer, wherein theprocessor finds network entities in the network traffic and wherein: ifthe network entities are network assets, the processor determines if thenetwork entities are critical network assets; and if the networkentities are network users, classifying the network users automaticallyinto user groups; and a user interface connected to the processor,wherein the user interface displays the network traffic as a function ofthe critical network assets and the user groups.
 9. A method ofdiscovering a network policy, comprising: selecting a timeframe fortraffic analysis; selecting a critical business system for whichadditional policy controls are desirable; selecting a service offered bythe CBS; displaying user group assignments associated with the service;and creating policy controls for the service, wherein creating policycontrols for the service includes: automatically classifying user groupsas mainstream or outlier based on the group representation algorithm;and if there are no outlier groups, creating policy controlsautomatically for the mainstream groups.
 10. The method of claim 9,wherein creating policy controls includes checking access controls tosimilar service on other critical business systems to substantiate thecreated policy controls.
 11. The method of claim 9, wherein the methodfurther comprises: if there are outlier groups and mainstream groups,determining, based on the client representation algorithm, whether thereare one or more groups that cover the client set without any one groupbeing overly broad and, if so, creating policy controls associated withthe one or more groups; and if there are outlier groups and mainstreamgroups and one cannot cover the client set without any one group beingoverly broad, adding new user groups.
 12. A method of displayingidentity-based network behavior, comprising: creating a grid having afirst and a second axis; assigning client groups to the first axis;assigning critical business systems to the second axis; monitoringnetwork traffic; displaying the network traffic on the grid as afunction of client group and critical business system, whereindisplaying includes associating a point on the first axis with eachclient group, associating a point on the second axis with each criticalbusiness system and displaying a shape at intersections in the gridbetween points on the first and second axes, wherein the shape varies insize as a function of network traffic associated with a particularclient group and a particular critical business system; and displayingthe network traffic graphically as an extended timeline of trend data,wherein the timeline of trend data includes clear gradations of timeperiods, wherein the clear gradations of time periods are used to selectdata sets associated with the time periods for display on the grid. 13.The method of claim 12, wherein displaying a shape includes filteringnetwork traffic that is not likely to be a problem.
 14. The method ofclaim 12, wherein displaying a shape includes filtering by one or moreservices observed in the network traffic.
 15. The method of claim 14,wherein filtering can be constrained by the user to retain informationon critical business systems.
 16. The method of claim 12, whereindisplaying the network traffic includes displaying points on each axiswith labeled tabs such that selection of a tab results in dynamicdisplay of corresponding data in a separate window on the same screen.17. The method of claim 12, wherein displaying a shape at intersectionsin the grid between points on the first and second axes includesresponding to selection of the bubble by displaying in separate windows,on the same screen as the grid, data corresponding to the criticalbusiness system associated with the intersection and data correspondingto the user group associated with the intersection.
 18. The method ofclaim 17, wherein the critical business system window and the user groupwindow both highlight data relating to the intersection.
 19. The methodof claim 12, wherein assigning client groups to the first axis includesperforming user discovery automatically to derive the client groups. 20.The method of claim 12, wherein assigning critical business systems tothe second axis includes performing asset discovery automatically todetermine the critical business systems.
 21. The method of claim 12,wherein the size of the shape is a function of the number of uniqueusers associated with a particular client group and a particularcritical business system.
 22. The method of claim 12, wherein thedynamic display of corresponding data in a separate window includesdisplay of policy controls, wherein the policy controls are associatedwith a specific service used by a particular group within a particularsystem and wherein the policy controls are displayed as an entity thatcan be selected for subsequent monitoring and control of the policy. 23.The method of claim 12, wherein the dynamic display of correspondingdata in a separate window includes display of outlier thresholdcontrols, wherein the outlier threshold controls are associated with aspecific service within a particular system and wherein the outlierthreshold controls can be actuated to dynamically adjust the outlierthreshold.
 24. An article comprising a computer readable medium havinginstructions thereon, wherein the instructions, when executed by amachine, create a system for executing the method of claim
 12. 25. Amethod of displaying identity-based network behavior, comprising:creating a grid having a first, second and third axis; assigning clientgroups to the first axis; assigning critical business systems to thesecond axis; assigning services to a third axis; monitoring networktraffic; displaying network traffic on the grid as a function of clientgroup, service and critical business system, wherein displaying includesassociating a point on the first axis with each client group,associating a point on the second axis with each critical businesssystem, associating a point on the third axis with each service anddisplaying a shape at intersections in the grid between points on thefirst, second and third axes, wherein the shape varies in size as afunction of network traffic associated with a particular client group, aparticular service and a particular critical business system.
26. The method of claim 25, wherein displaying a shape includes filtering network traffic that is not likely to be a problem.
27. The method of claim 25, wherein displaying a shape includes filtering by one or more services observed in the network traffic.
28. The method of claim 27, wherein filtering can be constrained by the user to retain information on critical business systems.
29. A method of controlling a network, comprising: storing information on network traffic; displaying the information as identity-based network behavior, wherein displaying includes: determining if network assets are critical network assets; classifying the network users automatically into user groups; and displaying the network traffic as a function of the critical network assets and the user groups.
30. The method of claim 29, wherein storing includes applying heuristics to filter network traffic.
31. The method of claim 29, wherein classifying the network users automatically into user groups includes classifying user groups as mainstream or outlier.
32. A method of classifying clients into user groups automatically, comprising: assigning clients to user groups, wherein assigning clients to user groups includes assigning one or more clients to multiple user groups; sorting the groups; and processing the groups so that each client is a member of a single group.
33. The method of claim 32, wherein sorting the groups includes sorting clients into mainstream groups and outlier groups.
34. The method of claim 32, wherein sorting the groups includes: determining, for each group, a percentage of active users; identifying mainstream groups, wherein mainstream groups are client groups with percentages of active users above a pre-defined threshold; eliminating mainstream groups whose clients are all members of a larger mainstream group; and sorting the remaining mainstream groups in descending order of percentage of active users; and wherein processing the groups so that each client is a member of a single group includes: assigning each client in one or more mainstream groups to a single mainstream group, giving priority to the mainstream groups with the highest percentage of active users; determining if any of the client groups have a percentage of active users below the pre-defined threshold; if any of the client groups have a percentage of active users below the pre-defined threshold, reclassifying those client groups as outlier groups; removing from the outlier groups all clients that are members of one of the remaining mainstream groups; sorting the outlier groups in descending order of percentage of active users; and assigning each client in one or more outlier groups to a single outlier group, giving priority to the outlier groups with the highest percentage of active users.
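The mainstream/outlier classification recited in claim 34, worked through as an added Python example; this code is not part of the patent. It assumes that the claim's "percentage of active users" means the share of all users active in the monitored traffic who belong to a group, that a group sitting exactly at the threshold is treated as an outlier, and that ties in percentage are broken by group name so the result is deterministic. The threshold value, group names and user identifiers are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the patent): the users seen active in the
# monitored traffic and the overlapping user groups they were assigned to.
ACTIVE_USERS: Set[str] = {f"u{i}" for i in range(1, 21)}          # 20 active users
GROUPS: Dict[str, Set[str]] = {
    "engineering": {f"u{i}" for i in range(1, 13)},   # u1-u12: 60% of active users
    "eng-linux":   {f"u{i}" for i in range(1, 7)},    # u1-u6: wholly inside engineering
    "finance":     {f"u{i}" for i in range(11, 19)},  # u11-u18: 40%, overlaps engineering
    "interns":     {"u3", "u19", "u20"},              # 15%
    "contractors": {"u2", "u19"},                     # 10%
}
MAINSTREAM_THRESHOLD_PCT = 25.0   # the pre-defined threshold of claim 34 (assumed value)


def active_percentage(members: Set[str], active: Set[str]) -> float:
    """Share, in percent, of all active users who belong to the group.
    Assumption: this is how the claim's 'percentage of active users' is read here."""
    return 100.0 * len(members & active) / len(active) if active else 0.0


def assign_to_single_group(priority: List[str], groups: Dict[str, Set[str]]) -> Dict[str, str]:
    """Give each client exactly one group: the first group in `priority`
    (highest percentage first) that contains the client."""
    assignment: Dict[str, str] = {}
    for name in priority:
        for client in groups[name]:
            assignment.setdefault(client, name)
    return assignment


def classify_clients(groups: Dict[str, Set[str]], active: Set[str],
                     threshold_pct: float) -> Dict[str, Tuple[str, str]]:
    """Return {client: (group, 'mainstream' | 'outlier')} following claim 34."""
    pct = {name: active_percentage(members, active) for name, members in groups.items()}

    # Mainstream groups: percentage of active users above the threshold ...
    mainstream = [n for n in groups if pct[n] > threshold_pct]
    # ... minus groups whose clients are all members of a larger mainstream group.
    mainstream = [n for n in mainstream
                  if not any(groups[n] < groups[m] for m in mainstream if m != n)]
    # Descending percentage; the group name only breaks ties.
    mainstream.sort(key=lambda n: (-pct[n], n))
    main_assignment = assign_to_single_group(mainstream, groups)

    # Groups not above the threshold are reclassified as outlier groups, and lose
    # every client that belongs to one of the remaining mainstream groups.
    outliers = [n for n in groups if pct[n] <= threshold_pct]
    covered = set().union(*(groups[m] for m in mainstream))
    outlier_groups = {n: groups[n] - covered for n in outliers}
    outliers.sort(key=lambda n: (-pct[n], n))
    outlier_assignment = assign_to_single_group(outliers, outlier_groups)

    result = {c: (g, "mainstream") for c, g in main_assignment.items()}
    result.update({c: (g, "outlier") for c, g in outlier_assignment.items()})
    return result


if __name__ == "__main__":
    classified = classify_clients(GROUPS, ACTIVE_USERS, MAINSTREAM_THRESHOLD_PCT)
    for client, (group, kind) in sorted(classified.items()):
        print(f"{client:>4} -> {group} ({kind})")
```

With the sample data, "eng-linux" is eliminated because it lies wholly inside "engineering"; the users shared by "engineering" and "finance" go to "engineering" because it holds the larger share of active users; and "u19", who is in two outlier groups, ends up in "interns", the outlier group with the higher share.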
35. The method of claim 32, wherein sorting the groups includes: calculating, for each group, the ratio of clients that are members of the group to the total number of clients; mapping each group to an aggregation level as a function of the ratio calculated for each group; selecting and processing a selected aggregation level, wherein selecting and processing includes: a) selecting all the groups whose aggregation level is the same as the selected aggregation level; b) sorting the selected groups in decreasing order of percentage of clients; c) within the selected groups in the selected aggregation level, assigning each client to one and only one group, giving priority to the groups with the highest percentage of clients; d) if the aggregation level of a group within the selected groups falls below the selected aggregation level after clients are removed, mapping the group to its appropriate aggregation level; e) removing all the clients assigned to the selected groups in the selected aggregation level from the remaining groups; and f) selecting and processing another aggregation level until each client is assigned to only one group.
36. The method of claim 35, wherein selecting and processing another aggregation level includes: determining if the highest level aggregation level has been selected and processed; if the highest level aggregation level has not been selected and processed, determining if the most recent aggregation level selected is the highest level aggregation level; if the highest level aggregation level has not been selected and processed and if the most recent aggregation level selected is not the highest level aggregation level, selecting and processing the aggregation level that is one higher than the most recent aggregation level as the selected aggregation level, selecting all the groups whose aggregation level is the same as the selected aggregation level and repeating a-f; and if the highest level aggregation level has been selected and processed, selecting and processing the aggregation level that is one lower than the most recent aggregation level as the selected aggregation level, selecting all the groups whose aggregation level is the same as the selected aggregation level and repeating a-f.
37. The method of claim 32, wherein sorting the groups includes: determining, for each group, a percentage of active users; sorting the groups in descending order of percentage of active users; and assigning each client to a single group, giving priority to the groups with the highest percentage of active users.
38. A method of discovering critical assets in a computer network having a plurality of assets, comprising: monitoring network traffic, wherein monitoring includes finding assets in the network traffic; determining, for each of the assets found in the network traffic, events, packets and users per asset; for each asset found in the network traffic, if the events per asset of the asset are greater than the events per asset of a first percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a second percentile of all assets found in the network traffic, designating said asset as a critical asset; and for each asset found in the network traffic, if the users per asset of the asset are greater than the users per asset of a third percentile of all assets found in the network traffic and if the packets per asset of the asset are greater than the packets per asset of a fourth percentile of all assets found in the network traffic, designating said asset as a critical asset.
39. The method of claim 38, wherein the first and second percentiles are set at the 90th percentile while the third and fourth percentiles are set at the 75th percentile.
40. The method of claim 38, wherein determining includes computing histograms for the number of events, the number of packets, and the number of clients.
41. The method of claim 38, wherein monitoring further includes storing monitored network traffic over predefined periods of time as data sets and wherein finding includes determining if subsequent data sets introduce new assets to be considered as critical assets.
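The critical-asset test of claim 38, with the 90th and 75th percentile settings of claim 39 and the subsequent-data-set check of claim 41, as an added Python example; this code is not from the patent. It assumes a nearest-rank percentile over the per-asset counts (the claims fix no percentile method; the histograms of claim 40 would yield the same cut-offs), and the asset names and per-asset counts are constructed sample data.

```python
import math
from typing import Dict, List, Sequence, Set, Tuple

# Constructed per-asset tallies (not from the patent) for one data set:
# asset -> (events, packets, distinct users).
ASSET_STATS: Dict[str, Tuple[int, int, int]] = {
    "db-01":   (9000, 120000, 40),
    "erp-01":  (3000,  80000, 35),
    "mail-01": (2500,  60000, 30),
    "file-01": (1500,  50000, 22),
    "web-01":  (1200,  30000, 15),
    "ws-01":   ( 100,   2000,  1),
    "ws-02":   ( 120,   2500,  1),
    "ws-03":   (  90,   1800,  2),
    "ws-04":   (  80,   1500,  1),
    "ws-05":   ( 150,   3000,  1),
    "ws-06":   ( 110,   2200,  1),
    "ws-07":   (  95,   1900,  1),
}


def percentile(values: Sequence[int], p: float) -> int:
    """Nearest-rank percentile: the value at rank ceil(p/100 * n) of the sorted data.
    Assumed method; the claims do not say how the percentile is taken."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def discover_critical_assets(stats: Dict[str, Tuple[int, int, int]],
                             p_events: float = 90, p_packets_1: float = 90,
                             p_users: float = 75, p_packets_2: float = 75) -> List[str]:
    """Claim 38 with the defaults of claim 39: an asset is critical if it is above the
    first percentile in events AND above the second in packets, or above the third
    percentile in users AND above the fourth in packets."""
    events = [e for e, _, _ in stats.values()]
    packets = [p for _, p, _ in stats.values()]
    users = [u for _, _, u in stats.values()]
    ev_cut, pk_cut_1 = percentile(events, p_events), percentile(packets, p_packets_1)
    us_cut, pk_cut_2 = percentile(users, p_users), percentile(packets, p_packets_2)

    critical: Set[str] = set()
    for asset, (e, p, u) in stats.items():
        if e > ev_cut and p > pk_cut_1:     # busy by events and by volume
            critical.add(asset)
        if u > us_cut and p > pk_cut_2:     # widely used and high volume
            critical.add(asset)
    return sorted(critical)


def newly_critical(previous_critical: Set[str],
                   stats: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Claim 41: assets a subsequent data set designates critical that earlier
    data sets did not."""
    return sorted(set(discover_critical_assets(stats)) - previous_critical)


if __name__ == "__main__":
    print("critical:", discover_critical_assets(ASSET_STATS))
    print("new since last data set:", newly_critical({"db-01"}, ASSET_STATS))
```

With the sample data only "db-01" clears both 90th-percentile cut-offs, while "erp-01" and "mail-01" are picked up by the second rule (many users and high packet volume); "file-01" sits exactly at the 75th percentile of users and, because the test is strictly greater-than, is not designated critical.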